2021-06-11 I will need a fresh raspberrypi install for zigbee2mqtt
I started looking at the instructions for running zigbee2mqtt and the instructions for installing npm/nodejs gave me a lot of error messages on the raspberrypi running in the utility closet and checking the smart meter. It turns out it needs an upgrade from Raspbian jessie. This Raspberry Pi is dedicated to reading the smart meter since August 2016 and it has been running fine gathering the smart meter data. The raspbian forums state that it is better to upgrade by reinstallation on a different SD card. So I guess it's time to rebuild the smartmeter Pi if I want it to run the zigbee sensor network.

Update: I installed all the software on a linux laptop and now I have a running zigbee2mqtt.
2021-06-07 Backup to the home NAS
I still had the unfinished business of not having a good backup when half a filesystem ended in lost+found and it took a whole day to recover from that problem. And I still found missing things today. I have no working tapedrives left, but a good amount of disk storage available. I still like amanda as backup program, so I looked into the vtapes (virtual tapes) option. The sample amanda.conf explains this nicely:

    # To use vtapes, create some slotN directories (slot0, slot1, etc.) under
    # /var/amanda/vtapes and use this tapedev:
    #
    # tapedev "chg-disk:/var/amanda/vtapes"
    tapedev "chg-disk:/scratch/nasback/vtapes"

So I created those, writable by the amanda user. I try to only backup data that I can't get by a reinstallation. So I backup /etc (configuration), /var (system data), /home (user data) and a few other directories.
2021-06-02 Uncomplicated Firewall (UFW) : don't confuse it or you will be locked out
I am looking at better protection inside my home network since there is a mix of "trusted" and "not so trusted" devices in the house. I consider devices that just need Internet access to talk to some server out there (the well-known "cloud", better known as "Someone else's computer") and are (mostly) black boxes untrusted compared to systems that are installed with a known operating system and where I can control what they can and can't do. One of the things I wanted to improve are local host-based firewalls. The firewall in the router linux machine is the result of years of fine-tuning and experience so I manage that by hand. But for somewhat standard hosts I want simple firewalls that are easily managed. I tried ufw, the Uncomplicated Firewall, and on the first (test) machine it went fine without a problem. On the second machine, where there are already a few active firewall rules managed by fail2ban, something hiccupped and before I knew it ufw managed to leave me with an unreachable machine. The error message from ufw-init was something about being unable to initialize firewall rule ufw-track-output and the net result was that the machine became unreachable. I needed console access to get back in again. Removing/purging the ufw package didn't help: after reinstalling it and trying again, the same error came up and the system was unreachable again. It turns out ufw leaves its own rules in iptables/ip6tables active (prefixed with 'ufw') and this confused ufw-init. I tried removing them by hand (lots of work) or with a very small shell script, but in the end rebooting the machine and only reinstalling ufw after that reboot got me back to a normal usable situation.
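The leftover 'ufw' chains mentioned above can be listed from `iptables -S` and removed in an order iptables accepts (jump rules first, then flush, then delete). The script below is an added example, not the author's "very small shell script"; it only prints the removal commands so they can be reviewed before running them, and the rule listing at the bottom is a constructed sample, not taken from any real machine.

```shell
#!/bin/sh
# Added example: turn the output of 'iptables -S' (or 'ip6tables -S') into the
# commands that remove leftover ufw-* chains. Nothing is executed; the commands
# are printed so they can be checked before being run from a console session.
#
# Order matters: a chain cannot be deleted (-X) while a rule still jumps to it,
# so the jump rules in the built-in chains (INPUT, OUTPUT, FORWARD) that point
# at ufw chains are deleted first, then every ufw chain is flushed (-F) and
# deleted (-X). Rules inside ufw chains vanish with the flush, so no -D needed.
#
# Usage: iptables -S | ufw_cleanup_cmds iptables
#        ip6tables -S | ufw_cleanup_cmds ip6tables
ufw_cleanup_cmds() {
    tool="${1:-iptables}"
    rules=$(cat)

    # Step 1: jump rules from non-ufw chains into ufw chains, e.g.
    #   -A INPUT -j ufw-before-input  ->  iptables -D INPUT -j ufw-before-input
    # Rules living in ufw chains themselves (-A ufw-...) are skipped here.
    printf '%s\n' "$rules" \
        | grep -E '^-A [^ ]+ .*-j ufw-' \
        | grep -Ev '^-A ufw-' \
        | sed "s/^-A /$tool -D /"

    # Step 2: flush and delete every chain that ufw created (-N ufw-...).
    # Chains of other tools, such as fail2ban's f2b-*, are left untouched.
    printf '%s\n' "$rules" \
        | grep -E '^-N ufw-' \
        | cut -d' ' -f2 \
        | while read -r chain; do
            printf '%s -F %s\n' "$tool" "$chain"
            printf '%s -X %s\n' "$tool" "$chain"
        done
}

# Constructed sample of 'iptables -S' output with both ufw and fail2ban rules.
UFW_SAMPLE_RULES='-P INPUT ACCEPT
-N ufw-before-input
-N ufw-track-output
-N f2b-sshd
-A INPUT -j ufw-before-input
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT'

# Demo on the constructed sample (prints six commands, none touching f2b-sshd).
printf '%s\n' "$UFW_SAMPLE_RULES" | ufw_cleanup_cmds iptables
```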
2021-05-16 Ending with half a filesystem in /lost+found
Some visitors may have noticed this website wasn't working for about a day. That's because I had to rebuild the webserver. There was a filesystem-related panic somewhere yesterday causing the main filesystem to be mounted read-only. I assumed I could use fsck on the read-only filesystem to get things back to normal again but this turned out wrong: I ended with an unbootable disk and the complete contents of /etc and /home in /lost+found with mostly unusable filenames (numbers). The fastest solution was to rebuild a webserver from scratch and start making things run again. This took most of the day. Yes, I need to get backups working again, even without a tapedrive. The weird part is that this was about a filesystem in a virtual machine and the hardware host shows absolutely no problems at that time and has no problems with the disks backing this storage. Another virtual machine also had issues around the same time, but those did not result in disk problems:

    sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_TIMEOUT
    sd 0:0:0:0: [sda] tag#0 CDB: Write(10) 2a 00 00 88 19 20 00 00 08 00
    blk_update_request: I/O error, dev sda, sector 8919328
    Buffer I/O error on dev sda1, logical block 1114660, lost async page write

A few days earlier both virtual systems logged a strange timing issue with a hang on all CPUs. I'm also seeing some weird kernel messages on other virtual machines around the same time:

    wozniak kernel: [5150105.764208] rcu: INFO: rcu_sched self-detected stall on CPU

So I guess it is time for some hardware checks.
2021-05-07 Anti-spam measures blocking legitimate e-mail
I am using fail2ban to deal with spamming attempts. Some of the spam senders are quite good at trying the same stupidity again 3 minutes later because the error codes are just for non-criminal mail senders. My logs kept filling up with the same stupidity over and over and over again. So I set up fail2ban to block the offending IPs to keep my logs readable. But this stopped e-mail based alerts from a certain service. I know, e-mail isn't instant messaging. The error message was:

    gosper sm-mta: ruleset=check_relay, arg1=xx.xx.xx.xx, arg2=xx.xx.xx.xx, relay=xx.xx.xx.xx [xx.xx.xx.xx], reject=421 4.3.2 Connection rate limit exceeded.

This triggered fail2ban directly because I didn't expect normal traffic to exceed this, but the alerts from the service could. So I whitelisted the sending IP in the sendmail access config to make sure the notifications flow. I also updated the specific bit of fail2ban configuration to only block this after three errors.
2021-04-27 HackTheBoxCTF writeup: Forensic challenges (the ones I tried)
2021-04-27 HackTheBoxCTF writeup: Hardware challenges
I found a writeup of the HackTheBox & CryptoHack Cyber Apocalypse 2021 I participated in at How HackTheBoxCTF Exposed The Marriage of Saleae And Hardware - Equus 🐴 (Annie) but I did some things a little different so I decided to share how I did it.
2021-04-14 Year 2038 is coming!
Interesting kernel message in Linux today:

    [ 3906.977410] ext2 filesystem being mounted at /media/koos/disk supports timestamps until 2038 (0x7fffffff)

So that filesystem (and lots of others) will give issues in 2038. Things need work before that date!
2021-03-27 I bought a secondhand morse paddle and made a video about it
For a while I had a notification set for someone selling a morse paddle. Finally one came along at a reasonable price so I bought it. And.. I mentioned this detail to some people at work. Who had an idea of what a morse key is, but didn't know about morse paddles. So with my big mouth I said "I'll make a video about it". This was triggered by the fact that I recently learned about OpenShot non-linear video editor which is available for Linux too. So I created a video. And found out making a video of 30 seconds is a lot more work than 30 seconds. I watched some tutorial videos about OpenShot first and thought about what I wanted to show. I haven't added spoken comments because I didn't feel like doing those too. The video isn't great, I can see several beginner mistakes. But I get the point across of what a paddle does. There is a continuity problem because I used sunlight. Which isn't very constant. And I made several clips because I didn't think I would get everything I wanted to show right. But now there are changes in light and a bit in camera angle, even with using a tripod. And our neighbours were busy hammering indoors, so that can be heard too.
2021-03-17 Upgraded another system at home, now serving webpages with TLSv1.3
After the recent work on updating the TLS settings for the webservers at home there was one element missing: TLSv1.3 support. This needed an upgrade of openssl and the 'easy' way to get there was a full upgrade of the server running the external facing proxy. So I took that step yesterday evening. Made a snapshot first and started upgrading devuan ascii to beowulf. After the update a lot of things were broken: I defined a non-standard location for bind9 logging and AppArmor disagreed. Without a working nameserver a lot of stuff breaks internally! So after managing to get on the upgraded system with console I changed the AppArmor rules to allow it. After that things started again. For the next time I manage to break the resolving nameserver: I should remember that avahi/multicast dns works on most systems even when DNS resolving fails. I checked and I can use .local names to get to the right equipment. After checking how everything is running for about a day I threw out the old snapshot.